TDSS Malware Infecting Fortune 500 Includes Evasion Tactic

Hard-to-kill malware spotted in the wild includes a domain generation algorithm in the communications with its command-and-control infrastructure to make it harder to detect and eliminate. Use of such a tactic is part of a growing trend among malware threats as attackers look to thwart security.

A new edition of the notorious TDSS malware has been spotted using a domain generation algorithm (DGA) in communications with its command-and-control (C&C) as it spreads throughout enterprises.

Also known as TDL4, TDSS infects the master boot record, which has made it difficult for security programs to remove. At one point, security researchers reported, the malware had built a botnet of 4.5 million victims. In 2011, it was linked separately to the spread of the notorious DNSChanger Trojan, which was at the center of an FBI takedown operation last year.

According to IT security technology company Damballa, the latest discovery led to a new understanding of the malware's C&C infrastructure, which appears to be managing multiple versions of the malware across more than 250,000 infected victims worldwide. In collaboration with the Georgia Tech Information Security Center, Damballa researchers launched a sinkhole operation using some of the malware's domains to gather evidence about the command-and-control structure.

The researchers discovered that the latest version of the malware has infected computers at 46 of the Fortune 500. Other victims include government agencies and ISP networks. The C&C traffic captured by the sinkhole also yielded new details of a click-fraud operation leveraging DGA-based C&C to provide status reports about the fraud operation's successes so the information could be used by the criminal operators to provision the entire fraud campaign. Some of the top hijacked domains in the click fraud operation include, and

In all, 85 C&C servers and 418 unique domains were labeled as being related to the malware, with Russia, Romania and the Netherlands hosting the most C&C servers.

Domain generation algorithms (DGAs) are traditionally used to evade signature-based detection systems and static blacklists, explained Manos Antonakakis, director of academic sciences for Damballa. Using the tactic, which is also known as domain fluxing, lets the attacker exploit the inability of network security systems to recognize and block the latest active domain names, because the malware and its operators compute a fresh set of candidate domains on a schedule and only a few of them are ever registered, he told eWEEK. The technique has become popular among malware authors and has been adopted by Trojans such as Zeus and BankPath, he added. Pseudo-random domain generation has also been used by the Blackhole exploit kit to make attacks more persistent.
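Because a DGA-infected host tries many generated names of which only a few are registered, its DNS traffic shows a burst of NXDOMAIN responses for high-entropy labels. The following is an added example (not code from the article, Damballa or Georgia Tech) of that detection heuristic run over constructed resolver log lines; the log format, thresholds and IP addresses are assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic): "<client-ip> <queried-name> <rcode>".
# 10.0.0.9 behaves like a DGA client; 10.0.0.7 has one ordinary typo lookup.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 kq7zx2vbn4ht.com NXDOMAIN
10.0.0.9 p0wm3rtq8ylz.net NXDOMAIN
10.0.0.9 gz91qwec7hjk.com NXDOMAIN
10.0.0.9 b6tnvq2xc0ps.info NXDOMAIN
10.0.0.9 x8fjrm4lkd2w.com NXDOMAIN
10.0.0.9 d3gh7qwmz5vb.org NXDOMAIN
10.0.0.7 typo-exmaple.com NXDOMAIN
10.0.0.7 www.example.org NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; pseudo-random labels score higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def second_level_label(name: str) -> str:
    """Return the label just left of the TLD, e.g. 'kq7zx2vbn4ht' for 'kq7zx2vbn4ht.com'."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def flag_dga_clients(log: str, min_nx: int = 5, min_entropy: float = 3.0) -> dict:
    """Map client IP -> sorted list of high-entropy names that resolved to NXDOMAIN,
    keeping only clients with at least `min_nx` such failures (assumed thresholds)."""
    suspicious = defaultdict(set)
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        client, name, rcode = fields
        if rcode == "NXDOMAIN" and shannon_entropy(second_level_label(name)) >= min_entropy:
            suspicious[client].add(name)
    return {ip: sorted(names) for ip, names in suspicious.items() if len(names) >= min_nx}


if __name__ == "__main__":
    for ip, names in flag_dga_clients(SAMPLE_LOG).items():
        print(ip, len(names), names)
```

The thresholds are a starting point only; in production they should be tuned against the site's baseline NXDOMAIN rate, since CDN and typo traffic also produce failed lookups.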

"As we previously reported, the rate at which DGA-based communications techniques are being adopted, and their ability to elude the scrutiny of some of the most advanced malware analysis professionals, should be of great concern to incident response teams," Antonakakis said in a statement.

"By adding elusive DGA C&C capabilities to malware that already evades detection and circumvents best practices in remediation by infecting master boot records, TDL4 is becoming increasingly problematic," he added. "With its known ability to act as a launch pad for other malware, and TDSS' history of sub-leasing access to their victims, these hidden infections in corporate networks that go undetected for long periods of time are the unseen time bombs that security teams work so hard to uncover."